SECURE BEACONS - Patent 3661243

(19)

(11)

EP 3 661 243 A1

(12)	EUROPEAN PATENT APPLICATION

(43)	Date of publication:
	03.06.2020 Bulletin 2020/23

(21)	Application number: 18209059.7

(22)	Date of filing: 29.11.2018

(51)

International Patent Classification (IPC):

H04W 12/06^(2009.01)
H04L 9/06^(2006.01)

H04W 4/80^(2018.01)
H04L 9/32^(2006.01)

(84)	Designated Contracting States:
	AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
	Designated Extension States:
	BA ME
	Designated Validation States:
	KH MA MD TN

(71)	Applicant: Nagravision S.A.
	1033 Cheseaux-sur-Lausanne (CH)

(72)	Inventor:
	AUMASSON, Jean-Philippe 1033 Cheseaux-sur-Lausanne (CH)

(74)	Representative: Hoyng Rokh Monegier LLP
	Rembrandt Tower, 31st Floor Amstelplein 1 1096 HA Amsterdam 1096 HA Amsterdam (NL)

(54)	SECURE BEACONS

(57) A method for securing a beacon signal in a network comprising a transmitter for broadcasting the beacon signal and one or more receivers for receiving the beacon signal, wherein the beacon signal comprises a data packet (103) including a payload (106) that comprises a first field containing broadcast information from the transmitter and a second field (204) for storing authentication information, the method comprising: computing, using a secret key, a message authentication code over the payload; extracting bytes from the message authentication code to obtain the authentication information; and encrypting the first field using a symmetric cipher which takes as parameter the secret key and a nonce, wherein the nonce comprises the authentication information, the encrypting resulting in an encrypted first field, the resulting secure beacon signal (200) comprising the encrypted first field (203) and the second field (204) with the authentication information.

Description

TECHNICAL FIELD

[0001] The present disclosure relates to a computer-implemented method for securing a beacon signal, a computer-implemented method for processing a received secure beacon signal, a transmitter configured for securing a beacon signal, a receiver configured for processing a received secure beacon signal, and a secure beacon signal.

BACKGROUND ART

[0002] Bluetooth Low-Energy (BLE), as defined in the Bluetooth 4.0 and subsequent standard versions, supports the broadcast transmission of beacons, which are small packets of data typically aimed to inform a receiver of a tag's presence. Typically, the beacon includes the identifier of the tag. Such tags transmitting beacons are for example used in supply chain applications, to track items, containers, et cetera.

[0003] Broadcast beacons are typically sent in clear, i.e. without encryption or authentication mechanisms. An attacker can therefore create and transmit such beacon in order to impersonate a tag. In comparison, Bluetooth communications that use a pairing mechanism as opposed to broadcast communications, can use Bluetooth-standardized authenticated encryption.

[0004] FIG. 1 shows a broadcast network 10, including two transmitters 1a, 1b, such as Bluetooth tags. The arrows from the transmitters 1a, 1b depict broadcast signals. The receiver 3 receives a broadcast signal, depicted by the arrow towards the receive 3. An attacker device 2 may pick up the broadcast signal and impersonate a legitimate tag by transmitting the broadcast signal again, possibly in an altered form. FIG. 1 also shows a remote network 4, to which the device 3 may be communicatively connected.

[0005] It is generally considered problematic that beacon signals can be impersonated and misused. There is a need for secure broadcast beacons in order to prevent spoofing of beacons and/or protect the confidentiality and integrity of the data transmitted in the beacon signal.

SUMMARY

[0006] According to an aspect of the disclosure, a computer-implemented method is proposed for securing a beacon signal in a network comprising a transmitter for broadcasting the beacon signal and one or more receivers for receiving the beacon signal. The beacon signal can comprise a data packet. The data packet can include a payload. The payload can comprise a first field containing broadcast information from the transmitter and a second field for storing authentication information. The method can comprise computing - by using a secret key - a message authentication code over at least a part of the payload. The method can further comprise extracting a predefined number of bytes from the message authentication code to obtain the authentication information. The number of bytes can be equal to or less than the length of the second field. The method can further comprise encrypting at least part of the first field using a symmetric cipher which takes as parameter the secret key and a nonce. The nonce can comprise the authentication information. The encrypting procedure can result in an encrypted first field. The resulting secure beacon signal can comprise the data packet, wherein the payload comprises the encrypted first field and the second field contains the authentication information.

[0007] In an embodiment the symmetric cipher can be a length-preserving symmetric cipher which takes as parameter the secret key and the nonce.

[0008] In an embodiment the data packet can further comprise a sequence number field for storing a sequence number, wherein the sequence number can be incremented for each new beacon signal transmitted by the transmitter, and wherein the nonce can be based on the authentication information and the sequence number, the nonce preferably comprising a concatenation of the authentication information and the sequence number and padded with zeros to obtain the nonce having a predetermined length.

[0009] In an embodiment the data packet can further comprise an identification field containing an identifier of the transmitter. The secret key can be associated with the identifier of the transmitter.

[0010] In an embodiment the data packet can be a Bluetooth Low-Energy advertising packet data unit.

[0011] According to an aspect of the disclosure, a computer-implemented method is proposed for processing a received secure beacon signal in a network comprising a transmitter for broadcasting the secure beacon signal and one or more receivers for receiving the secure beacon signal. The secure beacon signal can comprise a data packet. The data packet can include a payload. The payload can comprise a first field comprising encrypted broadcast information and a second field containing authentication information. The method can comprise receiving the secure beacon signal in a receiver. The method can further comprise decrypting the encrypted first field using a symmetric cipher which takes as parameter a secret key and a nonce. The nonce can comprise the authentication information, the decrypting resulting in a decrypted first field

[0012] In an embodiment the symmetric cipher can be a length-preserving symmetric cipher which takes as parameter the secret key and the nonce.

[0013] In an embodiment the data packet can further comprises a sequence number field comprising a sequence number. The nonce can be based on the authentication information and the sequence number, the nonce preferably comprising a concatenation of the authentication information and the sequence number and padded with zeros to obtain the nonce having a predetermined length.

[0014] In an embodiment the data packet can further comprise an identification field containing an identifier of the transmitter. The secret key can be associated to the identifier of the transmitter. The method can further comprise obtaining the secret key based on the identifier.

[0015] In an embodiment the method can further comprise computing a message authentication code over at least a part of the payload after decrypting, and using the secret key. The method can further comprise extracting a predefined number of bytes from the message authentication code to obtain further authentication information. The number of bytes can be equal to or less than the length of the second field. The method can further comprise comparing the further authentication information with the authentication information to verify an authenticity of the data packet.

[0016] In an embodiment the second field can be set to a predetermined value other than the authentication information before computing the message authentication code, the predetermined value preferably being zero.

[0017] In an embodiment the data packet can be a Bluetooth Low-Energy advertising packet data unit.

[0018] According to an aspect of the disclosure, a transmitter is proposed that is configured for securing a beacon signal. The transmitter can comprise a processor configured to perform one or more of the above described steps for securing a beacon signal. The transmitter can include an antenna for broadcasting the secure beacon signal to one or more receivers.

[0019] According to an aspect of the disclosure, a receiver is proposed that is configured for processing a received secure beacon signal. The receiver can comprise an antenna for receiving the secure beacon signal broadcast from a transmitter. The receiver can further comprise a processor configured to perform one or more of the above described steps for processing a received secure beacon signal.

[0020] According to an aspect of the disclosure, a secure beacon signal is proposed that comprises a data packet, the data packet including a payload, wherein the payload comprises an encrypted first field containing broadcast information from a transmitter and a second field containing authentication information, wherein at least a part of the first field is encrypted, and wherein the secure beacon signal has been generated according to one or more of the above described steps for securing a beacon signal.

[0021] Hereinafter, embodiments of the disclosure will be described in further detail. It should be appreciated, however, that these embodiments may not be construed as limiting the scope of protection for the present disclosure.

BRIEF DESCRIPTION OF DRAWINGS

[0022] Embodiments will now be described, by way of example only, with reference to the accompanying schematic drawings in which corresponding reference symbols indicate corresponding parts, and in which:

FIG. 1 shows a broadcast network;

FIG. 2 shows a packet data format of a Bluetooth Low Energy data packet;

FIG. 3 shows a secure beacon data format of an exemplary embodiment;

FIG. 4 shows a flow chart of an exemplary method for securing a beacon signal; and

FIG. 5 shows a flow chart of an exemplary method for processing a received secure beacon signal.

[0023] The figures are meant for illustrative purposes only, and do not serve as restriction of the scope or the protection as laid down by the claims.

DESCRIPTION OF EMBODIMENTS

[0024] In the following examples a beacon in the form of a Bluetooth Low-Energy (BLE) advertising packet data unit (PDU), as defined in the Bluetooth Specification 4.0 and subsequent versions of the Bluetooth standard, will be discussed. The disclosure is not limited to BLE and may be applied to other type of beacons.

[0025] When a BLE peripheral device broadcasts packets to every device around it, this is called BLE advertising. The receiving device can act on the received advertised information or be triggered by the advertisement to connect to the BLE peripheral device to receive more information. Principally BLE advertising is unidirectional.

[0026] The 2.4GHz spectrum for Bluetooth extends from 2402MHz to 2480MHz. BLE uses 40 1MHz wide channels, numbered 0 to 39. Each is separated by 2MHz. Channels 37, 38, and 39 are used for sending advertisement packets.

[0027] BLE advertisements are transmitted at a fixed interval from 20ms to 10.24 seconds, in steps of 0.625ms, possibly with a random delay. The random delay may be a pseudo-random value from 0ms to 10ms that is automatically added. This randomness may help reduce the possibility of collisions between advertisements of different devices.

[0028] FIG. 2 shows the packet data format of a BLE data packet. The BLE data packet has several parts including a preamble 101, an access address 102, a packet data unit (PDU) 103 and a CRC 104. The advertisement channel PDU 103 includes a 2-byte header 105 and a variable payload 106 of 6 to 37 bytes. The actual length of the payload is defined by a 6-bit length field in the header 105 of the advertising channel PDU 103.

[0029] The header 105 further includes a 4 bits PDU type indicator. There are several PDU types for the advertisements, including ADV_IND having a PDU type of "0000", ADV_NONCONN_IND having a PDU type of "0010" and ADV_SCAN_IND having a PDU type of "0110". ADV_IND is a generic advertisement and usually the most common. It's generic in that it is not directed and it is connectable: this means that a device can connect to the peripheral that is advertising, and it is not directed towards a particular device. When a peripheral device sends an ADV IND advertisements, it may be detected by devices such as smartphones or any other Bluetooth capable device. Once found, a device may begin a connection process, display information from the advertisement or act in any other manner based on the advertised information. ADV_NONCONN_IND is an advertisement type used when the peripheral does not want to accept connections, which is typical in beacons.

[0030] The advertisement channel PDU 103 has an advertising payload 106 that depends on the advertising PDU type. FIG. 2 shows the ADV_IND payload. This payload has an advertisement address 107 of 6 bytes and a variable number of advertisement data structures 108...109. The advertisement address 107 is typically referred to as the Bluetooth MAC Address although another address may be used. The advertisement payload 108...109 has a maximum of 31 bytes for actual advertisement data structures. Each advertisement data structure typically includes a length field 110, type field 111, and data field 112. By using a data type of 0xFF in the type field 111, the Bluetooth Standard allows for manufacturer specific data to be broadcast, giving the possibility of custom payload.

[0031] The present disclosure enables the payload of a beacon, such as the BLE advertisement, to be encrypted, resulting in a secure beacon 200, such as shown in FIG. 3. Advantageously, the payload of the secure beacon can be of the same size as the clear beacon to not interfere with the original BLE advertising scheme. Normally, overhead is created when encrypting a data packet, for example to encode a nonce - e.g. initial value, or IV - and to append an authentication tag, generated by a message authenticated code or by an authenticated cipher. The secure beacon 200 is special in that it can add cryptographic protection to the advertisement payload 108 without adding overhead to the packet, as will be explained in more detail.

[0032] In the example of FIG. 3 the advertising payload 108 is encrypted. In case the beacon includes multiple advertising payloads, for example also advertising payload 109, one or more of the advertising payloads 108... 109 may be encrypted.

[0033] The advertising payload 108 may include a number of further fields 201-204. The order of the further fields may be varied and there may be less or more further fields. The secure beacon 200 may include a field 201 for storing a sequence number, which may be incremented for each new beacon sent by a tag. The secure beacon may further include a field 202 for storing a tag's ID. Preferably, the tag ID is a unique parameter, shared with the receiver of the beacon signal. Possibly the receiver is a remote server, depending on the system's architecture. The secure beacon further includes a field 204 of U bytes of unused data, where U is preferably at least equal to 4. The field 203 contains the actual beacon information. In an alternative embodiment, not shown, the sequence number field 201 and/or the tag ID field 202 may be stored in another part of the advertisement beacon, such as in the header 105.

[0034] A beacon is transformed into a secure beacon in two steps, using a secret key K. Preferably the secret key K is at least 16 bytes in length. In a first step a message authentication code (MAC) may be computed over the advertising payload 108. Hereto, B bytes of the advertising payload 108, possibly all 31 bytes in case there are no other advertising payloads, is computed. Thus, MAC(K,B) is calculated. Before the first step the field 204 contained a predefined value, preferably U bytes of zero ("0000" in case U equals 4).

[0035] Then U bytes may be extracted from the calculated MAC. This may be any predefined U bytes, for example the first four bytes of the calculated MAC. These U bytes from the calculated MAC are copied to the field 204 of the beacon.

[0036] In a second step the beacon may be encrypted. Hereto, the U bytes from the MAC and the beacon's sequence number may be combined to form a nonce. This combination may be made in any mathematical manner, for example by concatenating the U bytes from the MAC and sequence number. The result may be padded with zeroes to form a nonce of predefined length. The nonce may then be used to encrypt selected fields of the beacon, such as the information field 203. Alternatively or additionally, other advertising payloads such as advertising payload 109 or part thereof may be encrypted using the nonce. Preferably, a length-preserving symmetric cipher is used for encrypting the selected fields, such as AES-CTR, which takes as parameter the secret key K and the nonce. Fields to be encrypted may be any fields of the beacon, except for the sequence number field 201, the tag ID field 202, and the U bytes from the MAC in field 204. When the selected fields have been encrypted, the secure beacon is formed and ready for broadcast.

[0037] When the receiver receives the secure beacon, the secure beacon may be decoded to obtain the beacon information. Decoding of the secure beacon includes a decryption step, possibly followed by authenticity verification.

[0038] For decrypting the secure beacon, the tag's ID may be read from the tag ID field 202. The receiver may be configured to obtain the cryptographic key K associated to the tag ID, e.g. from an internal lookup table or from a remote server. Next, the nonce may be reconstructed by concatenating the U bytes from the MAC received in field 204 and the sequence number received in field 201. Using the key K and the nonce, the encrypted fields may be decrypted.

[0039] The authenticity of the decrypted beacon may be verified as follows. From the decrypted beacon, the U bytes from the MAC may be read from the field 204 and thereafter field 204 may be set to the predefined value, such as U bytes of zero ("0000" in case U equals 4). The message authentication code may be calculated using the key K over the B bytes of the advertising payload 108, resulting in MAC_verification(K,B). U bytes may be extracted from the calculated MAC_verification(K,B), from the same byte locations as in the authentication step described above. The U bytes from the calculated MAC_verification(K,B) may be compared with the U bytes from the MAC obtained from the received secure beacon. If the values match, the secure beacon may be considered authentic. If the values don't match, the tag may be rejected as invalid and the decrypted content may be discarded.

[0040] FIG. 4 shows a flow chart of an exemplary method for securing a beacon signal 1000. In step 1001 a message authentication code may be computed over at least a part of the payload using a secret key. In step 1002 a predefined number of bytes may be extracted from the message authentication code to obtain the authentication information, the number of bytes being equal to or less than the length of the second field. In step 1003 at least part of the first field may be encrypted using a symmetric cipher which takes as parameter the secret key and a nonce, wherein the nonce comprises the authentication information. The encrypting may result in an encrypted first field and the resulting secure beacon signal 200 may comprise the data packet, wherein the payload comprises the encrypted first field 203 and the second field 204 contains the authentication information.

[0041] FIG. 5 shows a flow chart of an exemplary method for processing a received secure beacon signal. In step 2000 the secure beacon signal may be received in a receiver. In step 2002 the encrypted first field may be decrypted using a symmetric cipher which may take as parameter a secret key and a nonce. The nonce may comprise the authentication information obtained from the secure beacon signal in step 2001. The decrypting may result in a decrypted first field. In step 2003 a message authentication code may be computed over at least a part of the payload after decrypting, and using the secret key. In step 2004 a predefined number of bytes may be extracted from the message authentication code to obtain further authentication information. The number of bytes is equal to or less than the length of the second field. In step 2005 the further authentication information is compared with the authentication information to verify an authenticity of the data packet.

[0042] One or more embodiments of the disclosure may be implemented as a computer program product for use with a computer system. The program(s) of the program product may define functions of the embodiments, including the methods described herein, and can be contained on a variety of computer-readable storage media. The computer-readable storage media may be non-transitory storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information may be permanently stored; and (ii) writable storage media (e.g., hard disk drive or any type of solid-state random-access semiconductor memory, flash memory) on which alterable information may be stored.

Claims

1. A computer-implemented method for securing a beacon signal in a network (10) comprising a transmitter (1a, 1b) for broadcasting the beacon signal and one or more receivers (3) for receiving the beacon signal, wherein the beacon signal comprises a data packet (103), the data packet including a payload (106), wherein the payload comprises a first field containing broadcast information from the transmitter and a second field (204) for storing authentication information, the method comprising:

computing, using a secret key, a message authentication code over at least a part of the payload;

extracting a predefined number of bytes from the message authentication code to obtain the authentication information, the number of bytes being equal to or less than the length of the second field; and

encrypting at least part of the first field using a symmetric cipher which takes as parameter the secret key and a nonce, wherein the nonce comprises the authentication information, the encrypting resulting in an encrypted first field,

wherein the resulting secure beacon signal (200) comprises the data packet, wherein the payload comprises the encrypted first field (203) and the second field (204) contains the authentication information.

2. The method according to claim 1, wherein the symmetric cipher is a length-preserving symmetric cipher which takes as parameter the secret key and the nonce.

3. The method according to claim 1 or 2, wherein the data packet further comprises a sequence number field (201) for storing a sequence number, wherein the sequence number is incremented for each new beacon signal transmitted by the transmitter, and wherein the nonce is based on the authentication information and the sequence number, the nonce preferably comprising a concatenation of the authentication information and the sequence number and padded with zeros to obtain the nonce having a predetermined length.

4. The method according to any one of the claims 1-3, wherein the data packet further comprises an identification field (202) containing an identifier of the transmitter, and wherein the secret key is associated with the identifier of the transmitter.

5. The method according to any one of the claims 1-4, wherein the data packet is a Bluetooth Low-Energy advertising packet data unit.

6. A computer-implemented method for processing a received secure beacon signal in a network (10) comprising a transmitter (1a, 1b) for broadcasting the secure beacon signal and one or more receivers (3) for receiving the secure beacon signal, wherein the secure beacon signal comprises a data packet (103), the data packet including a payload (106), wherein the payload comprises a first field (203) comprising encrypted broadcast information and a second field (204) containing authentication information, the method comprising:

receiving the secure beacon signal in a receiver; and

decrypting the encrypted first field using a symmetric cipher which takes as parameter a secret key and a nonce, wherein the nonce comprises the authentication information, the decrypting resulting in a decrypted first field.

7. The method according to claim 6, wherein the symmetric cipher is a length-preserving symmetric cipher which takes as parameter the secret key and the nonce

8. The method according to claim 6 or 7, wherein the data packet further comprises a sequence number field (201) comprising a sequence number, and wherein the nonce is based on the authentication information and the sequence number, the nonce preferably comprising a concatenation of the authentication information and the sequence number and padded with zeros to obtain the nonce having a predetermined length.

9. The method according to any one of the claims 6-8, wherein the data packet further comprises an identification field (202) containing an identifier of the transmitter, wherein the secret key is associated to the identifier of the transmitter, and wherein the method further comprises obtaining the secret key based on the identifier.

10. The method according to any one of the claims 6-9, further comprising:

computing a message authentication code over at least a part of the payload after decrypting, and using the secret key;

extracting a predefined number of bytes from the message authentication code to obtain further authentication information, the number of bytes being equal to or less than the length of the second field; and

comparing the further authentication information with the authentication information to verify an authenticity of the data packet.

11. The method according to claim 10, wherein the second field is set to a predetermined value other than the authentication information before computing the message authentication code, the predetermined value preferably being zero.

12. The method according to any one of the claims 6-11, wherein the data packet is a Bluetooth Low-Energy advertising packet data unit.

13. A transmitter (1a, 1b) configured for securing a beacon signal, wherein the transmitter comprises:

a processor configured to perform the method of any one of the claims 1-5;

an antenna for broadcasting the secure beacon signal to one or more receivers (3).

14. A receiver (3) configured for processing a received secure beacon signal, wherein the receiver comprises:

an antenna for receiving the secure beacon signal broadcast from a transmitter (1a, 1b);

a processor configured to perform the method of any one of the claims 6-12.

15. A secure beacon signal comprising a data packet (103), the data packet including a payload (106), wherein the payload comprises an encrypted first field (203) containing broadcast information from a transmitter (1a, 1b) and a second field (294) containing authentication information, wherein at least a part of the first field is encrypted, and wherein the secure beacon signal has been generated according to the method of any one of the claims 1-5.

Drawing

Search report

Search report